Cross-site scripting in WeGIA - CVE-2025-53936

 

Published: April 30, 2026


Vulnerability identifier: #VU128685
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2025-53936
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: WeGIA
Software vendor: LabReDeS

Description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the personalizacao_selecao.php endpoint when processing the nome_car parameter in POST requests. A remote attacker can send a specially crafted request to execute arbitrary script in the victim's browser.

User interaction is required for the reflected payload to be executed in the victim's browser.
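
The pattern behind this class of flaw, as an added PHP sketch that is not WeGIA's code and not taken from the vendor's fix: a handler that reflects the `nome_car` POST value into HTML, first unencoded and then validated and HTML-encoded. The function names, markup, length limit and sample value are assumptions, and the `mbstring` extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Hypothetical handler, NOT WeGIA's code. Only the parameter name nome_car
// comes from the advisory; function names, markup and limits are assumptions.

// Weak pattern (CWE-79): the POST value is concatenated into HTML as-is,
// so any markup in the request body becomes part of the response page.
function render_unsafe(array $post): string
{
    $nome = $post['nome_car'] ?? '';
    return '<p>Selected: ' . $nome . '</p>';
}

// Corrected pattern: validate the shape of the input, then encode it for
// the HTML context at the point of output.
function render_safe(array $post): string
{
    $nome = $post['nome_car'] ?? '';

    // Reject arrays (nome_car[]=...), invalid UTF-8 and oversized values.
    if (!is_string($nome)
        || !mb_check_encoding($nome, 'UTF-8')
        || mb_strlen($nome, 'UTF-8') > 100) {
        http_response_code(400);
        return '<p>Invalid value.</p>';
    }

    // ENT_QUOTES encodes both quote styles, so the result is also safe in a
    // quoted attribute; ENT_SUBSTITUTE replaces invalid byte sequences
    // instead of returning an empty string.
    $encoded = htmlspecialchars($nome, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Selected: ' . $encoded . '</p>';
}

// Constructed sample input: inert markup, enough to show whether tags and
// quotes survive into the response.
$sample = ['nome_car' => '<b>Example "A"</b>'];

echo render_unsafe($sample), PHP_EOL; // markup passes through unchanged
echo render_safe($sample), PHP_EOL;   // markup is emitted as text entities
```

Encoding at output is specific to the sink: a value placed inside a script block, a URL or a CSS context needs that context's encoder instead of `htmlspecialchars`.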


Remediation

Install the security update from the vendor's website.
